Stored Cross-Site Scripting Vulnerability in MainWP Dashboard
CVE-2016-15041

7.2HIGH

Key Information:

Vendor: Wordpress
Status: MainWP Dashboard: WordPress Management Without The Saas
Vendor: CVE Published:; 16 October 2024

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2016-15041?

The MainWP Dashboard plugin for WordPress is affected by a Stored Cross-Site Scripting vulnerability that emerges from inadequate input sanitization and output escaping. This flaw involves the 'mwp_setup_purchase_username' parameter, allowing unauthenticated users to inject malicious web scripts. When users access compromised pages, these scripts execute, potentially leading to unauthorized actions and exposure of sensitive information. Users of MainWP Dashboard versions up to 3.1.2 are urged to review and implement appropriate security measures to mitigate risks associated with this vulnerability.

Affected Version(s)

MainWP Dashboard: WordPress Management without the SaaS * < 3.1.3

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2016-15041-mainwp-dashboard
Created by flame-11

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://klikki.fi/adv/mainwp.html

https://www.acunetix.com/vulnerabilities/web/wordpress-pl...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Dec 25, 2025
👾
Exploit known to exist
Dec 25, 2025
Vulnerability published
Oct 16, 2024
Vulnerability Reserved
Oct 15, 2024

Credit

Jouko Pynnöne

JSON

Wordpress